Sanitise freeing of DSA keys.
diff --git
a/sshdss.c
b/sshdss.c
index
1f15cee
..
8c9f93e
100644
(file)
--- a/
sshdss.c
+++ b/
sshdss.c
@@
-42,7
+42,7
@@
static void getstring(char **data, int *datalen, char **p, int *length)
*p = NULL;
if (*datalen < 4)
return;
*p = NULL;
if (*datalen < 4)
return;
- *length =
GET_32BIT(*data
);
+ *length =
toint(GET_32BIT(*data)
);
if (*length < 0)
return;
*datalen -= 4;
if (*length < 0)
return;
*datalen -= 4;
@@
-72,6
+72,9
@@
static Bignum get160(char **data, int *datalen)
{
Bignum b;
{
Bignum b;
+ if (*datalen < 20)
+ return NULL;
+
b = bignum_from_bytes((unsigned char *)*data, 20);
*data += 20;
*datalen -= 20;
b = bignum_from_bytes((unsigned char *)*data, 20);
*data += 20;
*datalen -= 20;
@@
-108,6
+111,7
@@
static void *dss_newkey(char *data, int len)
dss->q = getmp(&data, &len);
dss->g = getmp(&data, &len);
dss->y = getmp(&data, &len);
dss->q = getmp(&data, &len);
dss->g = getmp(&data, &len);
dss->y = getmp(&data, &len);
+ dss->x = NULL;
return dss;
}
return dss;
}
@@
-115,10
+119,16
@@
static void *dss_newkey(char *data, int len)
static void dss_freekey(void *key)
{
struct dss_key *dss = (struct dss_key *) key;
static void dss_freekey(void *key)
{
struct dss_key *dss = (struct dss_key *) key;
- freebn(dss->p);
- freebn(dss->q);
- freebn(dss->g);
- freebn(dss->y);
+ if (dss->p)
+ freebn(dss->p);
+ if (dss->q)
+ freebn(dss->q);
+ if (dss->g)
+ freebn(dss->g);
+ if (dss->y)
+ freebn(dss->y);
+ if (dss->x)
+ freebn(dss->x);
sfree(dss);
}
sfree(dss);
}
@@
-289,6
+299,8
@@
static int dss_verifysig(void *key, char *sig, int siglen,
freebn(w);
freebn(sha);
freebn(w);
freebn(sha);
+ freebn(u1);
+ freebn(u2);
freebn(gu1p);
freebn(yu2p);
freebn(gu1yu2p);
freebn(gu1p);
freebn(yu2p);
freebn(gu1yu2p);
@@
-404,6
+416,7
@@
static void *dss_createkey(unsigned char *pub_blob, int pub_len,
ytest = modpow(dss->g, dss->x, dss->p);
if (0 != bignum_cmp(ytest, dss->y)) {
dss_freekey(dss);
ytest = modpow(dss->g, dss->x, dss->p);
if (0 != bignum_cmp(ytest, dss->y)) {
dss_freekey(dss);
+ freebn(ytest);
return NULL;
}
freebn(ytest);
return NULL;
}
freebn(ytest);
@@
-427,11
+440,11
@@
static void *dss_openssh_createkey(unsigned char **blob, int *len)
dss->x = getmp(b, len);
if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) {
dss->x = getmp(b, len);
if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) {
-
sfree
(dss->p);
-
sfree
(dss->q);
-
sfree
(dss->g);
-
sfree
(dss->y);
-
sfree
(dss->x);
+
freebn
(dss->p);
+
freebn
(dss->q);
+
freebn
(dss->g);
+
freebn
(dss->y);
+
freebn
(dss->x);
sfree(dss);
return NULL;
}
sfree(dss);
return NULL;
}
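Review bot: The rewritten cleanup in dss_openssh_createkey calls `freebn(dss->p)` through `freebn(dss->x)` unconditionally, yet that branch is entered only when at least one of those five fields is NULL, so freebn receives a NULL Bignum on every malformed blob that reaches it; unless freebn tolerates NULL — and the `if (dss->p)` guards this same commit adds to dss_freekey suggest it does not — this is a NULL dereference where the old sfree calls merely did nothing. The dss_createkey hunk already releases a partially built key with `dss_freekey(dss);`, and dss_freekey now NULL-checks every field including x, so the five freebn calls and the following `sfree(dss);` can collapse to that one call: `dss_freekey(dss); return NULL;`. The same concern applies to get160, which now returns NULL on a short buffer; whether its callers in dss_verifysig check r and s for NULL before using them is outside this page. dss_openssh_createkey starts outside the hunk.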